Fixes #36365 - Drop usage of sudo for any pulpcore-manager commands #727
Conversation
|
Issues: #36365 |
There was a problem hiding this comment.
Technically we should run all pulpcore-manager commands as the pulp user. Especially when it writes files that's crucial. When running as root, then you can end up with file permission problems.
IMHO we need some wrapper for pulpcore-manager with the correct env vars etc.
I do agree and that is what my initial thought was. The same is mentioned in the BZ as well. But so far, these commands are being executed as the root user only ( with sudo ) and things are working just fine. I also discussed with the Pulp team about it and they confirmed that If I am passing along with the If your recommendation remains the same, Then I can try to think of something about that wrapper or else I would have to call both the commands in this way i.e. |
|
While it's true that when it's DB-only it's fine, it is a problem when root starts to write files to The correct tool for switching user in scripts is |
And to add on, Both of these commands ( from where sudo is being removed ) are performing database-level actions ( on pulpcore ) as database user pulp and the user is being picked up from |
I just noticed this one and yes, Agreed. Writing on disk as root is super bad but fortunately, neither of these actions is doing so. And also, whether it's runuser or su, as pulp is associated with nologin shell, we need to pass I will wait for your final recommendation here and take the necessary actions as per the same. |
theforeman-bot
added
Needs re-review
Waiting on contributor
and removed
Waiting on contributor
labels
|
Pushed changes in the commit as per previous suggestions. Now foreman_maintain should run the pulpcore db migration and trim-changelogs steps as @ekohl Please, Let me know if that looks good to you or if any other recommendations would be there |
There was a problem hiding this comment.
You can avoid the additional shell by using runuser -u pulp.
# getent passwd pulp
pulp:x:974:964::/var/lib/pulp:/sbin/nologin
# runuser - pulp id
This account is currently not available.
# runuser -u pulp id
uid=974(pulp) gid=964(pulp) groups=964(pulp) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023And I'm pretty sure DJANGO_SETTINGS_MODULE isn't needed. pulpcore-manager is precisely that. See https://github.com/pulp/pulpcore/blob/7c6d59f5f302efab669e335a23f1912eae739f2c/pulpcore/app/manage.py#L7 for details. Sadly it doesn't set PULP_SETTINGS either but you can't have it all.
So I think PULP_SETTINGS=/etc/pulp/settings.py runuser -u pulp pulpcore-manager $COMMAND would be the best invocation.
|
Given y'all have aligned on a common structure for calling commands, adding that as a function in |
I actually had tried it but it failed and my mistake was that I passed And I never removed Now, even if I have this working i.e. as soon as i try the same with migrate, It will not work . Examples: That is why I resorted to the generic approach i.e. |
|
I'ts probably interpreting |
It does the trick.. I have force pushed the changes now. |
If root is not allowed to use sudo , users will bound to run into either of these issues during upgrade or restore
or
Since we anyway run foreman-maintain\satellite-maintain as the root user, Let's remove the usage of sudo to run those commands normally.
I did a test for restore and upgrade with these changes and they worked just fine.
It would also probably need to go in 1.2.X ( if any future releases are planned )